From: Matthijs Mekking Date: Fri, 25 Jul 2025 13:18:23 +0000 (+0200) Subject: Test adding ede with rpz cname override policy X-Git-Tag: v9.21.11~9^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ef00f97d6806622a833a9c7b9e414a5ddaa19f0;p=thirdparty%2Fbind9.git Test adding ede with rpz cname override policy When the zone is configured with a CNAME override policy, the EDE code is not added as expected. Add a test case based on the issue in GitLab (#5342). When the zone contains a wildcard CNAME, the EDE code is not added as expected. Also add a test case for this.
---
diff --git a/bin/tests/system/rpz/ns3/evil-cname.db.in b/bin/tests/system/rpz/ns3/evil-cname.db.in
new file mode 100644
index 00000000000..b3c64260170
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/evil-cname.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA evil-cname. hostmaster.ns.evil-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+evil.tld2 CNAME a12.tld2.
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index cfb66cfea82..66f65fc1307 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -51,6 +51,8 @@ options {
 zone "bl.tld2";
 zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
+ zone "evil-cname" policy cname a12.tld2. ede blocked;
+ zone "wild-cname" ede blocked;
 } add-soa yes min-ns-dots 0
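Review bot: The header comment in the new evil-cname.db.in ("This basic file is copied to several zone files before being used" / "Its contents are also changed with nsupdate") looks copied from another fixture and does not describe this file: setup.sh copies it exactly once to evil-cname.db, and nothing in this commit updates it with nsupdate. The same two lines are carried into wild-cname.db.in. I would replace them with a comment that states what the fixture is for, e.g. `; RPZ test: QNAME trigger whose CNAME action is overridden by "policy cname" in ns3/named.conf.in (GL #5342)` here and `; RPZ test: wildcard QNAME trigger with a wildcard CNAME target` in wild-cname.db.in.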
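Review bot: The override `policy cname a12.tld2.` on the new `zone "evil-cname"` line names the same target as the zone's own `evil.tld2 CNAME a12.tld2.` record, so the answer for evil.tld2 is identical whether or not the override policy is applied, and the accompanying test can only observe that the EDE option is present. If the intent is to exercise the override path from GL #5342, point the override at a different resolvable name than the record in the zone and assert that name in tests.sh, so a regression that ignores the override but still emits the EDE is caught. The response-policy statement this hunk edits starts and ends outside the hunk.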
@@ -150,6 +152,16 @@ zone "static-stub-nomatch." {
 server-addresses { 10.53.0.10; };
 };
+zone "evil-cname" {
+ type primary;
+ file "evil-cname.db";
+};
+
+zone "wild-cname" {
+ type primary;
+ file "wild-cname.db";
+};
+
 # A faulty dlz configuration to check if named with response policy zones
 # survives a certain class of failed configuration attempts (see GL #3880).
 # "dlz" is used because the dlz processing code is located in an ideal place in
diff --git a/bin/tests/system/rpz/ns3/wild-cname.db.in b/bin/tests/system/rpz/ns3/wild-cname.db.in
new file mode 100644
index 00000000000..6d746acfa50
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/wild-cname.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA wild-cname. hostmaster.ns.wild-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+*.evil.tld2 CNAME *.wc.tld4.
diff --git a/bin/tests/system/rpz/ns4/tld4.db b/bin/tests/system/rpz/ns4/tld4.db
index fca419c6ddc..e65dd94a332 100644
--- a/bin/tests/system/rpz/ns4/tld4.db
+++ b/bin/tests/system/rpz/ns4/tld4.db
@@ -64,3 +64,5 @@ a3-8.tld2 A 58.58.58.58
 a3-9.sub9.tld2 A 59.59.59.59
 a3-10.tld2 A 60.60.60.60
+
+*.wc A 61.61.61.61
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 1345e2e13f1..6286cdd2453 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -44,6 +44,9 @@ done
 cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
 cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+cp ns3/evil-cname.db.in ns3/evil-cname.db
+cp ns3/wild-cname.db.in ns3/wild-cname.db
+
 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
 # a zone that expires quickly and then can't be refreshed
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 21f91c6e279..36c10ca95e5 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -687,6 +687,16 @@ echo_i "checking the configured extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
 grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, wildcard CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 foo.evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
 # reload a RPZ zone that is now deliberately broken.
 t=$((t + 1))
 echo_i "checking rpz failed update will keep previous rpz rules (${t})"
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 85f15e8a767..26eef24d18e 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@@ -36,11 +36,13 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/bl-wildcname.db",
 "ns3/bl.db",
 "ns3/bl.tld2.db",
+ "ns3/evil-cname.db",
 "ns3/fast-expire.db",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
 "ns3/named.stats",
+ "ns3/wild-cname.db",
 "ns5/bl.db",
 "ns5/empty.db",
 "ns5/empty.db.jnl",
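Review bot: Both new checks in the tests.sh hunk grep dig.out.$t only for `EDE: 15 (Blocked)`, so they still pass if the RPZ rewrite itself did not happen and only the EDE option was attached; asserting the rewritten answer as well pins the behaviour the fixtures set up. For the CNAME override case add `grep -E "CNAME[[:space:]]+a12\.tld2\.$" dig.out.$t >/dev/null || setret "failed"`, and for the wildcard case, whose `*.wc` record added to ns4/tld4.db yields 61.61.61.61 for whatever name the `*.wc.tld4.` target expands to, add `grep -F "61.61.61.61" dig.out.$t >/dev/null || setret "failed"`. The second echo_i label says "wildcard CNAME override", but `zone "wild-cname"` is configured without a `policy` override, so "wildcard CNAME (EDE)" would describe the case more accurately.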